Firefox Browser Usage and Support Forum

The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

What percentage of cyclists wear a cycle helmet? Not that many, but strangely there aren't many cyclists who'd argue that they'd prefer to be knocked off their bike WITHOUT a helmet vs. WITH a helmet... so just because not many people do 'X' doesn't mean that 'X' is a bad idea.

Put another way, if MSFT were writing the security bulletin for this issue, they'd say something like: "Mitigating factors: In an attack of this exploit, customers would have to be running Firefox with Administrator rights. Best Practice and the MSFT blah-blah-blah deployment guides would ALWAYS suggest running with least privilege. Yes, it's a real pain, and No, most of our own applications won't work, but our lawyers say if we suggest running with least privilege and you decide not to, it's your problem not ours."

...Symantec's biannual Internet Security Threat Report, the last six months saw a significant uptick in the number of security vulnerabilities found in web browsers. Leading the way was Firefox, with 47 bugs discovered. Researchers and hackers discovered 38 vulnerabilities in Internet Explorer...

Symantec's report counted many bugs that were actually Windows issues and such. Don't recall the details.

In any case, I don't think anyone is discounting the fact that all browsers have security problems. The fact remains that FF and others are far more secure than IE and the developers are constantly working on improvements which can be issued at any time while IE developers can take years.

EDIT: And now PC World reports that iDefense, a division of VeriSign, does not consider this exploit critical and found the exploit to be 'unreliable'.

If an exploit making use of the vuln has to resort to things appearing in a particular place in relation to something else, then some existing protective elements would make the exploit unreliable.

The JavaScript handling code has in the past exhibited a number of failures that involve memory corruption; this can be used to construct an exploit, but if things move because of any configuration options or the location that code segments get loaded at relative to others and the exploit, things don't always go the way the exploit builder intended.

If the user is running as a user in Linux this isn't a major problem (compared to others); running as a user in the Windows world is probably not the norm, so it can really hurt.

All software has gotchas, some gotchas can cause more problems than others.

It's obvious every program has bugs and the more complete it is, the more they have.

If you load up a program with constant memory overflow checks it starts to crawl.

The difference is that IE is on a fixed 30 day cycle so the black-hats know they can release a deadly bug into the wild 24 hours after patch Tuesday and get a full month out of it (or more). Unless it's a DRM bug, and that will get fixed within a day or two.

Firefox responds much quicker once there is a threat. It's also far more customizable.

When IE has a bug like this they say to entirely disable the feature and you are stuck for at least a month like that (or more).

At least with Firefox you can instantly add an extension to toggle JavaScript off on unknown websites.

I don't use Firefox because I hate IE, I use Firefox because I don't know how I got anything else done before I used it!

The more people using Firefox, the more hackers will focus on it, the more exploits will be found, the more people will realize that finally, Microsoft didn't do such a bad job with such a large share of market.

Not true. IIS has many more attacks than Apache, yet Apache controls 65% of web servers or more.

There is a book out that studies and discounts the 'more popular more attacks' theory. It addressed open source, particularly, and said it would not happen because open source is considered created by the proverbial 'we' and 'us'.

Another thought on this is to consider attacks on Firefox or Opera on Linux vs Windows systems. Many vulnerabilities are the result of weaknesses in the OS and not the browser.